The NIST (National Institute of Standards and Technology) provides an introductory resource guide for implementing the HIPAA (Health Insurance Portability and Accountability Act) Security Rule, including handy tables that break down the safeguards that covered entities and business associates need to abide by if they handle PHI or ePHI (electronic protected health information).

This multi-part series on HIPAA safeguards and compliance includes a detailed description of key activities and questions you can ask yourself as a checklist to ensure you meet the standards. The safeguards include:

The first part in this series describes the Administrative Safeguards that include implementing company policies and procedures related to security controls to meet HIPAA compliance.

Administrative Safeguards (164.308(a)(1))

Identify Information Systems with PHI

Action: Identify information systems, hardware and software used to collect, store, process or transmit PHI. Review your business functions to verify ownership and control of your information system components.

Ask yourself: Do you take regular inventory of your hardware and software (including removable media and remote access devices)? Is your system configuration documented? And have you identified your information type/use and how sensitive your information is?

Ask yourself: What are the current and planned controls? Is your facility or your data hosting facility in a region prone to natural disasters? Have hardware and software been checked for enabled security settings?

Implement a Risk Management Program

Action: Implement security measures to comply with 164.306(a).

Ask yourself: Do your current safeguards protect the confidentiality, integrity and availability of PHI, including anticipated threats or hazards to the security/integrity of PHI? Have you checked this compliance against your policies and procedures?

Acquire IT Systems and Services

Action: Implement technology, hardware, software and services as needed to protect PHI – match your IT solution to your environment and take into consideration how sensitive the data is, your security policies, procedures and standards, and the resources you have available for operation, maintenance and training.

Ask yourself: How will the new security controls work within your existing IT infrastructure? Have you done a cost-benefit analysis of investment vs. identified security risks? Has a staff training strategy been developed?

Create and Deploy Policies & Procedures

Action: Implement new risk mitigation controls by department, including management, operational and technical. When creating your policies, establish roles and responsibilities per control for certain individuals or departments.

Ask yourself: Do you have a documented plan for system security and a formal contingency plan? What’s your employee communication plan? And are the policies and procedures reviewed and updated when major changes take place in your company or as needed?

Develop and Implement a Sanction Policy

Action: Create a policy that addresses employee offenses that violate the HIPAA regulations or compromise the safety/privacy of PHI, specifying the sanctions that apply, such as reprimands, termination, etc.

Ask yourself: Is there a documented and formal process in place addressing PHI and system misuse, abuse and fraud? Have employees been alerted about policies regarding sanctions for the misuse and disclosure of PHI?